Renewals in German employee data protection?

On 9 August 2023, the Federal Ministry of the Interior and Community published a first draft bill on amendments to the Federal Data Protection Act.

06 October 2023


On 9 August 2023, the Federal Ministry of the Interior and Community published a first draft bill on amendments to the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) - Draft BDSG.

In May 2023, the Federal Ministry of Labour and Social Affairs and the Federal Ministry of the Interior and Community drafted a key points paper for a planned Employee Data Protection Act.

We have taken a closer look at these legislative plans and how they relate to each other:

I. Amending draft on Federal Data Protection Act

The BDSG was last comprehensively amended in 2018, in the course of the introduction of the European Union General Data Protection Regulation (GDPR). It was intended not only to regulate data protection in Germany, but also to complement and concretise the GDPR, because the GDPR contains numerous so-called opening clauses (see more on this below). The BDSG still fulfils this function today. The Draft BDSG does not change this function and brings few innovations for practice. One reason for this is that only the first two parts of the BDSG are being amended and not the entire law.

The Draft BDSG has not yet been finalised by the federal government, so there may still be some adjustments to the proposed regulations, which we will monitor closely.

Currently, the planned revisions can be categorised into three main points:

1. Rules on video surveillance of publicly accessible spaces

The BDSG previously regulated the conditions under which video surveillance in publicly accessible spaces is permissible. The respective provision of the Draft BDSG now only covers surveillance by public bodies, thereby implementing a ruling by the German Federal Administrative Court (Bundesverwaltungsgericht).

On 27 March 2019, the German Federal Administrative Court (Case No. 6 C 2.18) clarified that the surveillance of publicly accessible spaces by non-public bodies (in this case, a dental practice) cannot be based on the BDSG. Instead, the provisions of the GDPR must be applied. According to these, video surveillance is only lawful "if processing is necessary for the purposes of the legitimate interests pursued by the controller [...], except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject [...]". As a result, many non-public bodies have adapted their surveillance to the GDPR, bringing any privacy statements in line with the stricter requirements of Article 13 GDPR.

Placing the case law of the German Federal Administrative Court into a legal framework years later leaves the current legal situation unchanged.

In the future, the Draft BDSG will only regulate the surveillance of publicly accessible spaces by public bodies, such as the entrance area of a municipal swimming pool. Surveillance by non-public bodies will continue to be governed by the GDPR.

2. Duty to provide information in conflict with trade and business secrets

A person's right to information regarding the processing of personal data concerning him or her is restricted by the Draft BDSG. According to the GDPR, a person has the right to be informed whether and to what extent his or her personal data is being processed. According to the Draft BDSG, the right to information does not prevail if the information would disclose a trade or business secret.

3. Data Protection Conference and leading data protection authorities

In addition, the Data Protection Conference will become institutionalised. The Federal Commissioner for Data Protection and Freedom of Information and the supervisory authorities of the federal states will form the Conference of Independent Data Protection Supervisory Authorities of the federal government and the federal states (Data Protection Conference). However, because of the constitutional limits of Germany's federal system, the Data Protection Conference will not be competent to make binding decisions.

Under the Draft BDSG, businesses with projects across several German federal states may be governed by a sole data protection supervisory authority in the state where the project is located. This will avoid legal uncertainty caused by the decisions of different federal state authorities.

II. Plans for an Employee Data Protection Act

Beyond the Draft BDSG, a proposed Employee Data Protection Act (Beschäftigtendatenschutzgesetz) is on the horizon:

The German government is working on a law to improve data protection for employees. This is part of the coalition agreement. Furthermore, this effort is also based on a ruling by the European Court of Justice (ECJ) that casts doubt on the conformity with European law of Section 26 (1) sentence 1 of the BDSG, the section of the BDSG that governs data processing in the employment relationship.

The General Data Protection Regulation (GDPR) conclusively regulates data protection and creates uniform legal provisions throughout Europe. However, certain opening clauses allow member states to enact their own individual provisions. The BDSG provision on the protection of employee data, which existed in Germany before the GDPR, remained predominantly unchanged.

On 30 March 2023, the ECJ ruled (Case No. C-34/21) that a section of the Hessian Employee Data Protection Act (Hessisches Landesdatenschutzgesetz, HDSIG), nearly equivalent to Section 26 (1) sentence 1 of the BDSG, was not in agreement with European legislation. This particular clause was overly broad in its scope. A national law must specify the rules of the GDPR and may not simply reproduce them.

The ruling confirmed the previous view of the legal literature that Section 26 (1) sentence 1 of the BDSG was not in conformity with EU law. However, the court decision entailed only a few changes to the existing legal situation because, as the ECJ has stated, Article 6 (1) (b) and (f) of the GDPR, which applies instead of Section 26 (1) sentence 1 of the BDSG, provides for similar rules. Employers must take care here to adapt their data protection notices and other data protection documents.

To qualify as a "specification" of the GDPR, a national regulation must also focus on safeguarding the employee's interests through the implementation of specific measures.

The Employee Data Protection Act planned by the German government is now intended to regulate specific requirements in the data processing of employees in line with the opening clauses of the GDPR.

In May 2023, the Federal Ministry of Labour and Social Affairs and the Federal Ministry of the Interior and Community drafted a key points paper for a planned Employee Data Protection Act.

We have summarised the most important points for you:

1. Solo self-employed platform workers to be protected, too

Solo self-employed platform workers shall be entitled to receive the same protection as employees. Due to the specific structures and business models in the platform economy and with regard to the processing of their personal data, they need similar protection.

2. Limits to employee monitoring

Permanent monitoring of employees will be limited to exceptional cases, for example to ensure the safety of employees. In particular, no complete movement and performance profiles may be created to evaluate employees. Covert surveillance measures may only be used if there is no other way to clarify the concrete suspicion of a criminal offence in the company.

3. Use of artificial intelligence

Employees shall be given transparency regarding the implementation of artificial intelligence.

4. Application procedure

Legal certainty is to be created as to which questions are inadmissible in the job interview and which tests and examinations may be carried out. Information on aptitude and qualifications must always be requested directly from the applicant. Medical examinations may only be carried out in limited circumstances where they are necessary to perform the job or are legally required, such as for pilots.

5. Particularly sensitive data

Particularly sensitive data, such as religious beliefs, political opinions or state of health, may only be processed exceptionally in typical case groups. These cases will be specifically defined in the planned law. Biometric data may only be processed in specific exceptional cases.

6. Regulations on the balancing of interests

Criteria are to be defined as to when data processing is necessary in order to make the often necessary balancing of interests more manageable. These comprise factors such as the duration and frequency of processing, as well as the type and scope of employee data collected.

7. Clear regulations for consents

The current legal framework emphasises the significance of obtaining consent for data processing. The requirements for the voluntariness of consent are to be further specified. The strictest rules will apply in the context of job applications, as applicants are under particular pressure here.

8. Data processing in corporations

The aim of the ministries is to establish additional legal certainty and flexibility in the handling of data by corporations. Consequently, the authorization of data transfers within a corporation will be explicitly regulated for relevant practical cases.

9. Secure and supplement data subjects' rights

The data subject rights granted by the GDPR, such as the right to information or the right to erasure, are to be supplemented if the specifics of the employment relationship so require.

10. Bring your own device regulations

The use of private laptops and smartphones for business purposes is common practice and, while it can bring many benefits, it can also pose a risk of access to private data. It is now to be examined which specific measures will be required to safeguard employee data within bring your own device solutions.

11. Strengthen co-determination

Employee co-determination in the area of data protection in the workplace is to be further developed. To this end, the Works Council Modernisation Act (Betriebsrätemodernisierungsgesetz) is to be evaluated in the light of digitalisation.

12. Collective agreements

It is to be examined whether and to what extent amendments can be made to collective agreements (such as a works council agreement / Tarifvertrag) as a regulation for data processing in the employee context is beyond the current legal framework.

Proposals for the key points paper are being discussed in a stakeholder dialogue. A first draft bill for the new Employee Data Protection Act remains to be seen.
